CMMC Compliance Timeline: Dates, Deadlines & Phases

Written by Laura Arce Fonseca | Sep 26, 2025

The Cybersecurity Maturity Model Certification (CMMC) has been years in the making, and after rounds of drafts, updates, and industry feedback, it’s finally official. On September 10, 2025, the Department of Defense (DoD) published the final CMMC rule in the Federal Register.

That date marked the end of the rulemaking process, but not the start of enforcement. The real milestone is November 10, 2025—the day the DoD begins requiring CMMC compliance in certain contracts.

So, if you’re a federal contractor (or aspiring to be one), here’s the short answer: CMMC compliance is required starting November 10, 2025, for new contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

But the full story involves a phased rollout, different levels of certification, and some careful planning for businesses that want to stay competitive in the defense contracting space. Let’s break it down.

CMMC at a Glance - What You Need to Know

📌 Final Rule Published: September 10, 2025
📌 Enforcement Start Date: November 10, 2025

What Happens on November 10, 2025?

  • Level 1 and Level 2 self-assessments required in applicable DoD contracts

  • DoD may require third-party Level 2 assessments in some cases

  • Applies to contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)

CMMC Rollout Timeline:

  • Nov 10, 2025 → Phase 1: Level 1 & Level 2 self-assessments begin

  • Nov 10, 2026 → Phase 2: Level 2 third-party assessments required

  • Nov 10, 2027 → Phase 3: Level 3 assessments introduced

  • Nov 10, 2028 → Phase 4: Full implementation

If you’re bidding on DoD contracts after November 10, 2025, CMMC compliance will be required.

 

Who Is CMMC For?

Think of CMMC as the DoD’s way of raising the bar on cybersecurity for its contractors.

  • If your company only handles Federal Contract Information (FCI)—the kind of information needed to perform a federal contract but not intended for public release—you’ll need to meet CMMC Level 1.

  • If you deal with Controlled Unclassified Information (CUI)—sensitive information that isn’t classified but could harm national security if mishandled—you’ll need at least CMMC Level 2, and in some cases, even Level 3.

FAQ: Does every DoD contractor need CMMC?

Yes. Whether you’re a prime contractor bidding directly with the DoD or a subcontractor working under a prime, CMMC applies to you if you handle FCI or CUI. That includes small businesses—there’s no exemption for company size.

For more detail on whether your organization falls under CMMC, see: Who Needs CMMC Compliance?

 

What Is the Timeline to Achieve CMMC?

The DoD isn’t flipping the switch overnight. Instead, it’s using a four-phase rollout to gradually introduce requirements across contracts. Here’s the timeline you should know:

 

| Phase | Start Date | What’s Required |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 & Level 2 self-assessments required in contracts. DoD may request some third-party Level 2 assessments. |
| Phase 2 | Nov 10, 2026 | Level 2 third-party assessments become mandatory for contracts involving CUI. |
| Phase 3 | Nov 10, 2027 | Level 3 assessments introduced for the most sensitive contracts. |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable contracts. |

 

This timeline matters because it gives contractors a chance to prepare. But here’s the catch: if you plan on bidding for contracts after November 10, 2025, you don’t have until 2028—you’ll need to be compliant at the level required for that contract right away.

 

What Are the Deadlines and Upcoming Dates to Be Aware Of?

Here are the dates every defense contractor should circle on their calendar:

  • September 10, 2025 → Final rule published in the Federal Register.

  • November 10, 2025 → Enforcement begins (Phase 1). Level 1 & Level 2 self-assessments required.

  • November 10, 2026 → Level 2 third-party assessments kick in.

  • November 10, 2027 → Level 3 assessments introduced.

  • November 10, 2028 → Full rollout complete.

FAQ: When does CMMC go into effect?

Technically, the rule went into effect when it was published, but enforcement doesn’t begin until November 10, 2025. That’s when contractors will start seeing CMMC requirements in solicitations and contracts.

 You can find the official update straight from the DoD here: DoD CMMC Program Overview

 

Tips to Adapt to the CMMC Deadline

If November 2025 feels close—it is. Implementing cybersecurity improvements, documenting your processes, and preparing for assessments takes time. Here’s how to get started without feeling overwhelmed:

  1. Figure out your required CMMC level. If you’re only handling FCI, you’ll likely only need Level 1. If you work with CUI, you’re looking at Level 2 or 3.

  2. Run a gap analysis. Compare your current security practices against the CMMC requirements. This will highlight what’s missing.

  3. Plan for the long-lead items. Some requirements, like continuous monitoring or security awareness training, take months to roll out effectively.

  4. Don’t underestimate documentation. A self-assessment or audit is only as strong as the proof you can provide. Policies, procedures, and evidence of implementation all matter.

  5. Consider outside help. If your internal IT team is already stretched thin, managed compliance services can speed up the process and keep you on track for deadlines.

The key takeaway? Don’t wait until you see CMMC in your contract—by then, it’s too late to start.

 

Cost of CMMC

One of the most common questions we hear is: “How much is this going to cost?” The answer: it depends on your level.

  • Level 1 (Self-assessment): Costs are relatively low and mostly tied to staff time and documentation.

  • Level 2 (Self or third-party): Costs vary significantly. A self-assessment is cheaper, but if DoD requires a third-party audit, expect higher expenses.

  • Level 3: These are the most expensive, since they involve advanced controls and mandatory third-party audits.

Costs also vary depending on your current cybersecurity maturity—if you already have strong controls in place, the leap may not be as large.

For a more detailed breakdown, check out: How Much Does CMMC Certification Cost?

 

Final Takeaway

CMMC is no longer just a talking point—it’s officially here. The final rule has been published, and the first enforcement date is November 10, 2025.

If you’re a DoD contractor, here’s the reality:

  • You’ll need to meet CMMC requirements for contracts you pursue after that date.

  • Self-assessments start first, but third-party assessments and higher-level requirements are on the horizon.

  • Waiting until the last minute is risky. Contractors who prepare early will have a competitive edge.

The question “When is CMMC compliance required?” now has a clear answer: starting November 10, 2025, and ramping up each year until full implementation in 2028.
